PHP 8.1: improve input validation for Requests_Transport_(fsockopen|cURL)
#499
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jrfnl
force-pushed
the
php-8.1/fix-strlen-null-to-non-nullable
branch
from
ec0cadc
to
4e1b2e0
Compare
This was referenced Jun 21, 2021
jrfnl
force-pushed
the
php-8.1/fix-strlen-null-to-non-nullable
branch
from
4e1b2e0
to
eedad6d
Compare
schlessera
requested changes
Jul 30, 2021
…cURL)` PHP 8.1 deprecates passing `null` to non-nullable parameters for PHP native functions. Ref: https://wiki.php.net/rfc/deprecate_null_to_scalar_internal_arg The `Requests_Transport_fsockopen::request()` method passes `$request_body` into the PHP native `strlen()` function without sufficient validation, which on PHP 8.1 results in a `strlen(): Passing null to parameter #1 ($string) of type string is deprecated` notification. The existing `RequestsTest_Transport_Base::testEmptyPOST()` test method exposed this. When investigating this issue, I realized that no significant input validation was being done on the `$data` parameter. PR 368 in response to issue 248 added a test to verify that the "content-length" header was correctly set when `null` would be passed as `$data` and added a safe-guard specifically for when `null` would be passed. Also, as a matter of form, integers and floats were handled correctly for `fsockopen`, but anything else would lead to PHP errors in unexpected places in every supported PHP version, including integers and floats in combination with the `cURL` class. To mitigate this, I propose to: * Add a `Requests_Exception_InvalidArgument` class which extends the PHP native `InvalidArgumentException`. * Add input validation for the `$data` parameter to both the `cURL` as well as the `fsockopen` Transport class which maintains and stabilizes the pre-existing behaviour for handling of `null`, synchronizes the behaviour for integers and floats to be the same across `fsockopen` and `cURL`, but will throw the new `InvalidArgument` exception for any other type of unexpected input for the `$data` parameter. Includes additional tests covering this change.
jrfnl
force-pushed
the
php-8.1/fix-strlen-null-to-non-nullable
branch
from
eedad6d
to
4c7e3e2
Compare
schlessera
approved these changes
Jul 30, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
PHP 8.1 deprecates passing
nullto non-nullable parameters for PHP native functions.Ref: https://wiki.php.net/rfc/deprecate_null_to_scalar_internal_arg
The
Requests_Transport_fsockopen::request()method passes$request_bodyinto the PHP nativestrlen()function without sufficient validation, which on PHP 8.1 results in astrlen(): Passing null to parameter #1 ($string) of type string is deprecatednotification.The existing
RequestsTest_Transport_Base::testEmptyPOST()test method exposed this.When investigating this issue, I realized that no significant input validation was being done on the
$dataparameter.PR #368 in response to issue #248 added a test to verify that the "content-length" header was correctly set when
nullwould be passed as$dataand added a safe-guard specifically for whennullwould be passed. Also, as a matter of form, integers and floats were handled correctly forfsockopen, but anything else would lead to PHP errors in unexpected places in every supported PHP version, including integers and floats in combination with thecURLclass.To mitigate this, I propose to:
Requests_Exception_InvalidArgumentclass which extends the PHP nativeInvalidArgumentException.$dataparameter to both thecURLas well as thefsockopenTransport class which maintains and stabilizes the pre-existing behaviour for handling ofnull, synchronizes the behaviour for integers and floats to be the same acrossfsockopenandcURL, but will throw the newInvalidArgumentexception for any other type of unexpected input for the$dataparameter.Includes additional tests covering this change.